OfficeMRU

Overview

Evidence: OfficeMRU
Description: Enumerate OfficeMRU
Category: System
Platform: windows
Short Name: officemru
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Microsoft Office applications maintain Most Recently Used (MRU) lists of documents that users have opened. These lists are stored in the user’s registry and include file paths and access timestamps embedded in the registry value data.

Office MRU can reveal which documents users were working with, including documents on network shares, removable drives, and deleted files.

Data Collected

This collector gathers structured data about officemru.

OfficeMRU Data

Field	Description	Example
`Path`	Document file path	C:\Users\user\Documents\report.docx
`OpenedOn`	When file was opened	2023-10-15T14:30:00
`Value`	Registry value name	Item 1
`Username`	User account name	user
`KeyPath`	Registry key path	Software\Microsoft\Office\16.0\Word\File MRU
`LastWriteTime`	Registry key last write time	2023-10-15T14:30:00
`RegPath`	Path to registry hive	Registry/ntuser.dat

Collection Method

This collector:

Collects user registry hives (ntuser.dat)
Searches for Office MRU keys:
- Software\Microsoft\Office\*\*\File MRU
- Software\Microsoft\Office\*\*\Place MRU
- Software\Microsoft\Office\*\*\User MRU\*\File MRU
- Software\Microsoft\Office\*\*\User MRU\*\Place MRU
Parses value data to extract file paths and timestamps
Decodes embedded FILETIME values from registry data

The registry value format: [F00000000][T01D7A5B69601F2E0]*C:\path\to\file.docx

Forensic Value

Office MRU provides evidence of document access and user activity with Office files. Investigators use this data to identify recently accessed sensitive documents, track document access on network shares, establish document access timelines, detect access to deleted documents, identify documents of interest, correlate with file system artifacts, and prove user interaction with specific files.